Forensics Sources Part 3: File Systems

Background:

Digital forensics can be described as the science of identifying, extracting, and preserving computer logs, files, cookies, cache, meta-data, internet searches, and any other legally admissible evidence that could be used to solve crimes committed using internet connected infrastructure.

Although most investigations focus on computers, evidence is not limited to workstations and laptops. In recent years, forensics teams have expanded their searches to include social networks, file sharing solutions, cloud service providers, mobile devices, third party applications, and more.

Complicating matters further, some people access the internet from different devices and use multiple web browsers daily, including as Internet Explorer, Chrome, and Firefox. Therefore, forensics investigations can involve correlating multi-device URL visits, cookies, time data was accessed, search terms, caches, and downloaded files.

This post will assess file system artifacts that could be used in a digital forensics investigation. The event types are limited to network intrusion detection, malware installation, and file deletion.

The analysis will include commentary about challenges that are common when gathering and inspecting the forensics data. Security professionals must also understand the usefulness of forensics data, so the discussion will include an analysis of how file systems should be prioritized during investigations.

The forensics rankings used:

Primary Sources=most likely to have relevant data

Secondary Sources=may contain relevant data

Tertiary Sources=may contain supporting data.

File System Explained

File system tracing, or file system forensics, has the broadest potential for providing the investigator with a wealth of information about what happened to the target system.

With few exceptions, all events on a system will leave a forensic “footprint” within the file system:

A change in a file (date, time, last accession)

The creation or deletion of a file

An increase/decrease in space utilization

Memory that is subsequently written out to a pagefile,

A log of process events

Each can provide clues that will aid an investigator with reconstructing events on the impacted host.

File System Collection & Examination Challenges

Introduction

How file system data is collected varies depending on the operating system being used and the state of the system being profiled, and ultimately the need of the collection.

In all cases, a file system should be preserved as close to the condition where it was first impacted as possible. Changes as subtle as system boots can dramatically change file system access times, file sizes, and other potentially relevant information useful for reconstruction.

Forensically valid copies of the file system will generally not only capture the file system but also other areas of the hard disk where the file system resides, as there is the potential for data to be in spaces not commonly allocated for file system usage.

Further, either software or hardware write blockers should be used to facilitate extraction.

These should be used along with system relevant tools to perform the block-level image from the hard disk to some other form of offline storage for further analysis away from the target system.

There are some challenges, however associated with capturing file system data.

In order to retrieve data from a failed system, the general harmonics of the hard disk must be sound. If the disk is failing or has failed (physical damage such as a platter crash, for example), retrieving data becomes much more difficult. The mechanics of the drive may not allow for read access to the data areas of the device.

Further, file system actions on files (deletions, particularly) do not completely delete a file, and there is a period of time where they are forensically still “available”.

However, they have been de-referenced in the file system pointers and the space they occupied reallocated as free space available for writing, and can be overwritten.

Lastly, external impacts, such as malware, can alter the operation of a file system, and cause it to behave erratically, and therefore yield different forensic results upon acquisition.

File System Priorities in Intrusions, Malware, and File Deletion Events

Common forensic practice would dictate that investigators work from the impacted system or systems outward.

Translation: from the file system/memory/logical evidence of the host, to logical evidence on the local network, to logical evidence of devices on the broader network, and so on and so forth…until a complete picture of the event has been reconstructed to the extent possible.

The file system of an impacted host will generally always yield more information about what happened than any other source available to a forensics investigator, and the usefulness of the file system in the investigation cannot be underrated or discounted.

File System Priority in Network Intrusions

In most network intrusions, a system or systems is the target of the intrusion, and the targeted systems are impacted in some fashion:

Completely destroyed

Denial of service by filling up file volumes or memory

Compromising files with a known or unknown exploit

Or any combination thereof…

Subsequently, all of these actions will manifest themselves within the file system and can be forensically harvested as a primary source and used for reconstructive evidence in an investigation.

File System Priority Malware Installations

In order for malware to persist to an impacted system, it must write an executable to the file system, and subsequently may also alter other system files to accommodate its needs to persist and proliferate.

Changes to the registry (Windows targets), file allocation tables, MAC tables and the like can all provide critical information to investigators looking to understand how the malware was able to infect, persist, and proliferate.

Those changes can also leave clues about what file actions were required in order to enable those activities. This allows file systems to serve as primary sources of evidence in the advent of an investigation.

File System Priority in Insider File deletions

Using the file system to determine whether a file was deleted is a fairly trivial task forensically. Providing attribution as to who deleted the file via the file system largely depends on the file system and how it manages access control on its files, and much more involved.

Definitive attribution is often a combination of multiple factors that ties file system, system logs, and network events together in a correlative fashion to determine whether the action can be linked to activity on the local network.

Even then, further attribution is often an assumption without additional indicators. Other evidence includes metadata concerning the type of system used or direct correlative actions involving known assets. Therefore, this is a secondary source.

Summary of key findings

File systems house the forensic “footprint” on devices, including file changes, creations, deletions, and space utilization. The main challenges are disk failures and susceptibility to malware infections.

File systems are priority data sources for network intrusions and malware installations. However, they are a secondary source for insider file deletion investigations.

This concludes Part 3 of a 4 Part Series on data sources could be used in a digital forensics investigation.